Hackers have tricked Facebook and Apple into handing over user data with fake emergency data requests.
Apple and Meta have allegedly fallen for bogus emergency data requests.
Apple and Meta (operator of Facebook) shared user data with hackers who made fake urgent data requests to the two companies, the Bloomberg news agency reports. Both Apple and Meta fell for the fake requests in mid-2021 and passed on user information such as phone numbers, IP addresses and addresses, the report says.
Emergency data requests do not require a court order
In connection with criminal investigations, law enforcement agencies often request data from social media platforms. This data can be used to identify online account holders who become suspects in a criminal case. Typically, these requests require a search warrant signed by a judge or a subpoena. The exception is the so-called emergency data request, which is intended for cases that involve life-threatening situations and leave no time for the usual judicial process.
Fakes via hacked government e-mails possible
Apple and Meta were taken in by the hackers with such a fake emergency data request. According to a report by Krebs on Security, such fakes are becoming more common. To do this, hackers need access to the e-mail system of a police authority. By impersonating the hacked law enforcement officer, they can forge an emergency data request. Access to such e-mail systems is traded by hackers on the Internet. According to Krebs on Security, the most common users of these fake requests are teenagers.
“Recursion” is behind the requests
The attack on Meta and Apple was allegedly carried out by a hacker group called the Recursion Team. The group has since disbanded. Some members are now part of Lapsus$, which made headlines for hacking and blackmailing big companies like Microsoft and Nvidia. The falsification of emergency data requests is also said to be common practice among this group.
“We review every data request for legal admissibility and use advanced systems and processes to validate law enforcement requests and detect abuse,” explains Andy Stone, Policy and Communications Director at Meta, to IT magazine The Verge.
“We are known to suspend compromised accounts from requests and are working with law enforcement to respond to incidents of suspected fraudulent requests, as we did in this case.”
When asked by The Verge, Apple merely refers to its law enforcement policy. However, the company would not confirm or deny that user data was handed over to the hackers in mid-2021.